Web of intrigue: protecting ports against cyber-terrorism

A cyber attack by drug traffickers at the Belgian port of Antwerp has focused attention on security at the world's maritime gateways. Julian Turner reports on the threat level in Europe and the US, and investigates measures being employed by coastal authorities to fight back against the hackers.

For centuries, the humble stevedore or dock worker was, almost single-handedly, responsible for managing the flow of maritime commerce around the world, loading and unloading ships at coastal hubs and securing them against the ever-present threat of smuggling, piracy and illegal immigration.

In 2013, however, the war against organised crime and terrorism is increasingly being fought online, as port facilities rely instead upon networked computer and control systems to manage security – and this technology is under threat from resourceful hackers employed by criminal gangs.

One such attack, uncovered at the Belgian port of Antwerp in 2013, threw the issue into sharp relief. Over a two-year period beginning in 2011, drug traffickers based in the Netherlands concealed heroin and at least a tonne of cocaine, with a street value of £130m, inside legitimate shipping cargoes.

The gang then recruited computer hackers to infiltrate IT systems controlling the movement and location of containers.

Armed with this supposedly secure data, the traffickers were able to identify which containers contained the drugs and send in lorry drivers to steal them. Brazen in conception and execution, the attack has put port authorities on both sides of the Atlantic on alert.

"[The case] is an example of how organised crime is becoming more enterprising," Rob Wainwright, director of EU law enforcement agency Europol, told the BBC.

"We have effectively a service-orientated industry where organised crime groups are paying for specialist hacking skills that they can acquire online."

Cyber-terrorism to order: how hackers infiltrated the port of Antwerp

The multiphase attack has many of the hallmarks of an advanced persistent threat (APT), a form of internet-enabled espionage in which attackers work against a chosen business or political target over a prolonged period rather than in a single raid.

The hackers began by emailing malicious software to staff at the port of Antwerp, giving them remote access to sensitive logistics data. When this breach was discovered and a firewall installed, the perpetrators switched to physical intrusion: they broke into company offices and concealed data-interception hardware in everyday objects such as cabling devices and computer hard drives.

Key loggers, small devices not unlike USB sticks, were used to capture keystrokes and screenshots from workstations, giving the traffickers a comprehensive record of everything staff had typed.
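A practical check against the hardware stage of such an attack, added here as an illustration rather than anything the port or the firms quoted in this article published: every workstation keeps a kernel log of each USB device that enumerates, and a script that compares those attachments with an approved-device inventory, and that flags a second keyboard-class device on one machine, gives a defender visibility of the physical attack path the Antwerp IT team lacked. The log lines below are constructed in the shape of Linux kernel USB messages relayed by syslog; the hostnames, the allowlist entries and the dead:beef device are hypothetical. The check has a known limit: an inline keylogger that passes the keyboard through transparently does not enumerate as a separate device, so the log only catches implants that present themselves as a hub or as a second input device.

```python
import re
from collections import defaultdict

# Approved-device inventory: (idVendor, idProduct) pairs the asset register
# allows on terminal workstations. Both entries are hypothetical examples.
ALLOWED_DEVICES = {
    ("046d", "c31c"),  # a keyboard model the inventory approves (hypothetical)
    ("0781", "5567"),  # a storage device the inventory approves (hypothetical)
}

# Constructed sample log in the shape of Linux kernel USB enumeration messages
# as relayed by syslog. Hostnames, timestamps and the dead:beef device are made up.
SAMPLE_LOG = """\
Nov 12 08:01:03 crane-ws01 kernel: usb 1-1.2: New USB device found, idVendor=046d, idProduct=c31c
Nov 12 08:01:03 crane-ws01 kernel: usb 1-1.2: Product: USB Keyboard
Nov 12 08:01:03 crane-ws01 kernel: usb 1-1.2: Manufacturer: ExampleCorp
Nov 12 22:14:51 crane-ws01 kernel: usb 1-1.3: New USB device found, idVendor=dead, idProduct=beef
Nov 12 22:14:51 crane-ws01 kernel: usb 1-1.3: Product: USB Keyboard
Nov 12 22:14:51 crane-ws01 kernel: usb 1-1.3: Manufacturer: Generic
Nov 13 07:55:10 yard-ws07 kernel: usb 2-1: New USB device found, idVendor=0781, idProduct=5567
Nov 13 07:55:10 yard-ws07 kernel: usb 2-1: Product: Flash Drive
"""

# syslog prefix, optional kernel uptime stamp, then "usb <bus-port>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[ *[\d.]+\] )?usb (?P<port>[\d.-]+): (?P<msg>.*)$"
)
NEW_DEVICE_RE = re.compile(
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT_RE = re.compile(r"^Product: (?P<name>.+)$")


def parse_events(lines):
    """Group the kernel's USB messages into one event per device attachment.

    A 'New USB device found' line opens an event; the following 'Product:' line
    for the same host and port fills in the descriptor string.
    """
    events = []
    current = {}  # (host, port) -> most recent attach event on that port
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a USB enumeration message; ignore
        key = (m["host"], m["port"])
        new = NEW_DEVICE_RE.match(m["msg"])
        if new:
            ev = {"ts": m["ts"], "host": m["host"], "port": m["port"],
                  "vid": new["vid"], "pid": new["pid"], "product": ""}
            events.append(ev)
            current[key] = ev
            continue
        prod = PRODUCT_RE.match(m["msg"])
        if prod and key in current:
            current[key]["product"] = prod["name"]
    return events


def audit(events, allowed=ALLOWED_DEVICES):
    """Return alert strings for unlisted devices and for hosts with more than one keyboard."""
    alerts = []
    keyboards = defaultdict(list)
    for ev in events:
        if (ev["vid"], ev["pid"]) not in allowed:
            alerts.append(
                f"{ev['ts']} {ev['host']} usb {ev['port']}: unlisted device "
                f"{ev['vid']}:{ev['pid']} ({ev['product'] or 'unknown product'})"
            )
        if "keyboard" in ev["product"].lower():
            keyboards[ev["host"]].append(ev)
    # Two keyboard-class devices on one workstation is the signature of a USB
    # keylogger that enumerates as its own HID device alongside the real keyboard.
    for host, kbds in keyboards.items():
        if len(kbds) > 1:
            ports = ", ".join(k["port"] for k in kbds)
            alerts.append(
                f"{host}: {len(kbds)} keyboard-class devices enumerated (ports {ports}); "
                f"inspect for an inline keylogger"
            )
    return alerts


def run_demo():
    """Run the audit over the constructed sample log and return its alerts."""
    return audit(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the sample log the script raises two alerts: the unlisted dead:beef device attached to crane-ws01 late in the evening, and the fact that crane-ws01 now has two keyboard-class devices. In a real deployment the inventory would come from the asset register and the alerts would feed the same monitoring the port uses for network intrusions, so that a physical implant is handled as an incident rather than noticed by chance.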

"After the port successfully detected the attack against their computer systems, they failed to map out other attack paths which allowed the attackers to achieve their objectives in this case," said Alex Fidgen, director of UK-based IT security firm MWR InfoSecurity.

"This demonstrates how important it is to not only focus on single systems but get a full overview of your organisation and the potential weaknesses in penetration testing exercises."

Coordinated software and hardware attacks that once targeted large financial institutions are now becoming more commonplace, as cyber-criminals look to infiltrate mainstream businesses.

"This attack played out somewhat like an APT," notes Fidgen. "They were apparently active for around two years, and were able to make use of advanced techniques with seemingly professional execution. However, this is what anyone can now buy on the black market as a service, so far from just being available to a nation state, anyone with money can purchase these services.

"It shows that the types of attacks like this aren’t hypothetical and businesses should be doing penetration testing exercises to make sure that they have not been compromised," he added.

Mind the gap: report highlights lack of investment in US port security

A recent study in the US found that, despite millions of federal dollars being spent on port security, many coastal hubs remain ill-equipped to deal with the latest wave of cyber threats. The report by Coast Guard Commander Joseph Kramek also acknowledged that facilities were increasingly reliant on sophisticated technology to protect the uninterrupted flow of maritime commerce.

"Unfortunately, this technological dependence has not been accompanied by clear cyber-security standards or authorities, leaving public, private and military facilities unprotected," the study said.

Published by the Brookings Institution, The Critical Infrastructure Gap: US Port Facilities and Cyber Vulnerabilities cited a recent US National Intelligence Estimate (NIE), which concluded a cyber attack on US port infrastructure – everything from data storage facilities and software controlling physical equipment to electronic communications – was as likely as a conventional one.

"Security, even port security, is often divided into two domains: physical security and cyber security," the study stated. "In today’s interconnected society, however, these two domains cannot be considered in isolation."

The report also noted that of the $2.6bn allocated to the post-9/11 Port Security Grant Programme (PSGP) in the past decade, less than $6m (less than one percent) was awarded to cyber-security projects. Forensic analysis of six major US ports revealed that only one – the Port of Long Beach in California – had conducted a cyber-security vulnerability assessment and not a single one had a response plan.

The report lists a series of recommendations, chief among them legislation that gives the US Coast Guard authority to enforce cyber-security standards for maritime critical infrastructure, as well as increased funding from the PSGP to pay for cyber-security technology and training.

New frontiers: TALON 13, the virtual port and the wider threat

Governments are beginning to take the fight to the hackers in the form of leading-edge technologies designed to protect existing computer networks and neutralise kinetic – or actual armed – attacks.

Part of the Nato Defence Against Terrorism (DAT) programme, TALON interprets data from underwater and land-based radar, sonar and cameras, assesses the threat level and sets up autonomous reactions ranging from an audible warning to the deployment of an entanglement device. A human operator monitors the system in real time on a networked tablet computer.

In the US, the Port of Long Beach reports two to three 'cyber storms' a year: bursts of distributed denial of service (DDoS) or other volumetric attacks in which hackers try to swamp its network.

In response, the facility is developing the virtual port system, a computer network that integrates secure data from federal agencies and private terminal operators. It has also banned commercial internet traffic from its network; invested nearly $1m in commercial applications to monitor network activity, intrusions and firewalls; mapped its networked systems and access points; designated controlled access areas for its servers and backed up and replicated key data off-site.

The Brookings Institution report notes that 95% of US trade is handled by ports, while international maritime trade accounts for more than 30% of the nation's gross domestic product.

"In certain ports, a cyber disruption affecting energy supplies would likely send not just a ripple but a shockwave through the US and even global economy," the study said.

Nor is the threat confined to the US and Europe. In October, a Trojan horse, malicious software disguised as a legitimate program, was blamed for disabling security cameras on the Carmel Tunnels toll road in northern Israel, causing massive traffic congestion for more than eight hours.

In his State of the Union address, US President Barack Obama acknowledged that cyber attacks against transport hubs and critical infrastructure were increasing in volume and sophistication.

"America must also face the rapidly growing threat from cyber attacks… our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems," he said. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."